mod_http_oauth2: Bail out of implicit flow on invalid or missing redirect
Probably hasn't been tested, and maybe never will since it's disabled
and more or less deprecated in OAuth 2.1
--- a/mod_http_oauth2/mod_http_oauth2.lua Fri May 05 21:32:34 2023 +0200
+++ b/mod_http_oauth2/mod_http_oauth2.lua Sat May 06 12:23:22 2023 +0200
@@ -337,6 +337,7 @@
local token_info = new_access_token(granted_jid, granted_role, granted_scopes, client, nil);
local redirect = url.parse(get_redirect_uri(client, params.redirect_uri));
+ if not redirect then return 400; end
token_info.state = params.state;
redirect.fragment = http.formencode(token_info);